Getting the status of a badge from a private repository

Question

I’m trying to get the status of a badge in a private repository (the svg image), I’m doing this from an unauthenticated location and I’m receiving the expected 404 error message.

Does anyone know how should I add the access_token information to the GET method to actually be able to get its status?

Calling the badge from URL like:

https://github.com/xx/yy/workflows/zz/badge.svg?event=push&access_token=hhhh

Returns 404.

Also, setting the token in the request's header:

headers: {'Authorization': 'token hhhh', ... }

Returns 404.

Thanks!

Answer 1

I assume you're referring to the type of badge that github provides out of the box (https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/adding-a-workflow-status-badge).

The example URL from there is (https://github.com/<OWNER>/<REPOSITORY>/actions/workflows/<WORKFLOW_FILE>/badge.svg?event=push).

To answer your question: You can't pass an access token in that query - it's simply not supported.

And even if if were possible, you also shouldn't.

It would mean you are storing a plain, unencrypted secret in your code (==repo) and therefore also on all machines you clone it to. Github access tokens cannot be limited to only allow access the status of Github actions, so that would be a big no-no from a security perspective.